On Wed, Oct 21, 2015 at 8:54 PM, A.L.E.C alec@alec.pl wrote:
On 10/18/2015 01:23 AM, Guilhem Moulin wrote:
Completely unrelated, please note that the “1.1.3 — Dependent” tarball includes moxieplayer.swf, while the last mention of moxieplayer in your changelog says “TinyMCE security issue: removed moxieplayer (embedding flv and mp4 is not supported anymore)”. Was it re-added by mistake? (Anyway, that file violates the DFSG and will be removed from the upcoming 1.1.3 Debian packages.)
The file was re-added with the update to TinyMCE 4.x. I don't know if it's still vulnerable; the file is in a newer version according to git.
Thomas, do you remember what vulnerability it was?
Finally I found it. I just forwarded the original report to you. And here's a related commit which removed that file back in 2011: https://github.com/roundcube/roundcubemail/commit/d6284b4d22d1e
According to this page http://cxsecurity.com/issue/WLB-2013070017 the vulnerability has been fixed in TinyMCE 4.0 which we have in Roundcube 1.1.
Cheers, Thomas